Identity management user experience

ABSTRACT

Example embodiment of the present invention provide for assisting a user in managing the user&#39;s shared persona on a request-by-request basis. Upon requesting to share one or more types of identity information, the user is automatically presented with an interface through which the user can interact in selecting an amount of identity items to share. A subset of the total identity items selected may then be shared with specified entities. In another embodiment, the present invention assists a user in managing identity information that has been shared with others by providing the user with a visual list of entities for which the user has shared specified identity information. Other embodiments of the present invention use shared information about an entity to automatically provide the user with the ability to update identity information that has subsequently been edited.

CROSS-REFERENCE TO RELATED APPLICATIONS

N/A

BACKGROUND OF THE INVENTION

1. The Field of the Invention

The present invention generally relates to managing a computer user'sidentity information. More particularly, the present invention providessystems, methods, and computer program products for assisting a user inmanaging the user's shared persona on a request-by-request basis. Inaddition, the present invention provides the user with the capabilitiesto log, and later determine, entities for which the user's identityinformation is shared.

2. Background and Related Art

Computerized systems provide many advantages towards peoples' ability toperform tasks. Indeed, the computer system's ability to processinformation has transformed the way we live and work. Computing systemsnow take a wide variety of forms including desktop computers, laptopcomputers, tablet PCs, personal digital assistance (PDAs), and the like.Even household devices (such as refrigerators, ovens, sewing machines,security systems, and the like) have varying levels of processingcapability and thus may be considered computing systems. Processingcapabilities continue to be incorporated into devices that traditionallydid not have such processing power. Accordingly, the diversity trend ofcomputing systems will likely increase.

Along with computing systems, the Internet has revolutionized the waypeople communicate and has ushered in a new era in human history oftentermed the “information age.” In essence, the Internet includes a largeconstellation of networked computers that are spread out over much ofthe world. Sophisticated computers, software, and networking technologyhave made communication over the Internet fairly straight forward fromthe view point of the end user.

With the advent of the Internet, electronic messaging systems (e.g.,email, messaging boards, instant messaging (IM), chart rooms, securedtransactions, online shopping, etc.) have become an increasingly popularway to communicate information. For example, businesses increasinglyrely on electronic messages to share ideas, transmit documents, schedulemeetings, and perform a multitude of other every day tasks. Further,individuals utilize messaging systems to communicate and interact withfamily, friends, business associates, acquaintances, Internet sites, orany other desired individual or organization within one's interactivecommunity. Accordingly, such electronic messaging systems have expandedthe notion of a community far beyond any particular geographicallocation.

Within such interactive communities, often times it is desirable toexchange user identity or persona information. For example, individualsand businesses may desire to exchange contact information for people,groups, organizations, businesses, households, or any other identifiableentity with which they interact. Such information may include, forexample, a user's name, alias, telephone numbers, email addresses,instant messaging (IM) addresses, home address, web addresses, IPaddresses for alternate deliver schemes, public keys, tokens, currentprojects, schedule availability, etc. Further, individuals or businessesmay wish to have other user identity information distributed orpublished amid the community in which they interact such as hobbies,occupational specialties, affiliations, services provided, merchandisesold, etc.

Typically, in order for a user to utilize such identity or personainformation, the user must manually input such information into, e.g., acontact management system. The user must then be able to understand,manage, and control the flow of persona information to other entities,i.e., people, organizations, etc. Today, however, there is no easy orconsistent user experience around managing or sharing one's identityinformation. For example, each application and website has its ownunique process for registering, storing, and using identity information.Accordingly, identity information is typically sprinkled throughout thedistributed system, which makes the identity information difficult tofind, update, or even know that the information exists. Further, even ifthe user knows where to find the identity information there is currentlyno easy, fine grained way to manage sharing the persona on arequest-by-request basis.

For instance, a user may be-able to create different files or cards forvarious types of identity information; for example, one for personalcontact information, one for business contact information, one for legalidentity information (e.g., credit cards, social security number, driverlicense, etc.), one for digital identities (e.g., tokens, public keys,certificates, etc.), and so on. Accordingly, a user may then select fromthe various types of identity stored when sharing such persona withother entities. If, however, the user does not wish to share a portionof identity information within a file, the user must either modify theidentity card or create a new file for sharing.

While this process of modifying and/or creating a multitude of differentidentity types may work well for users with limited identityinformation, or for those who do not desire controlling their persona ona request-by-request basis, for other users there are still severalshortcomings to this process. For example, if the user creates differentcards or files for every possible combination of types of identityinformation, the number of permutations becomes extremely numerousrequiring high memory and other valuable computing resources. Further,the user must take the time to create the different number of possiblepermutations and remember the contents of each identity file created forsharing the information with others; thereby diminishing the userexperience. Accordingly, there exists a need for assisting a user inmodifying identity information on a request-by-request basis in a userfriendly way.

Another deficiency of current identity management systems is thedifficulty or inability to determine those entities with whom a user hasshared his/her persona. Often, a user desires to update or otherwiserevoke identity information for various entities. Currently, however,there is no automated way to determine what identity information hasbeen shared and with whom. As such, a user must rely on their own memoryfor determining what types of identities and with whom their persona hasbeen shared with. As one can see, this reliance on the user's own memorymakes it difficult (if not impossible) to know all of those entities andwhat type of identity information the user has shared.

In fact, the user might not even know that identity information has beenshared. For example, websites that do not support a database backendmight place cookies on one's machine (or elsewhere) in order to shareidentity information with the website each time it is visited by theuser. This information is often controlled by the website and typicallycannot be modified by the user—other than to delete the cookies.Further, the sharing of this information is typically transparent to theuser such that the user may not even know the identity contents or thatthe identity information has been shared. Accordingly, there exists aneed for being able to identify the entities for which specific types oritems of identity have been shared in order to have better control andmanagement over one's persona. A similar issue exists when the websiteuses a backend to store the identity information. In this case, thewebsite places an identification key to the database in the cookie orasks the user to log into the website in order to access informationstored in the web server database. The user, however, might not be awareof the information that s/he has shared with the site in the past.

Still another drawback of current identity management systems is thatthey do not provide the user with the ability to edit and storesensitive identity information in a secure environment. For example,each type and/or item of identity information is typically stored in anunencrypted format on the user's computer or in other databases.Accordingly, if a user leaves their computer on in an unlocked state, orif other rogue computers or software unintentionally installed by theuser have access to the user's files and/or database, an unauthorizeduser may access, edit, or otherwise use the identity information in aharmful way. Accordingly, there also exists a need to be able to ensurethat sensitive identity information is securely stored on the user'smachine and/or in other databases.

BRIEF SUMMARY OF THE INVENTION

The above-identified deficiencies and drawbacks of current identitymanagement systems are overcome through exemplary embodiments of thepresent invention. For example, the present invention provides forsystems, methods, and computer program products for assisting a user inmanaging the user's shared persona on a request-by-request basis. Moreparticularly, the present invention provides for automaticallypresenting the user with an interface through which the user caninteract to select an amount of different identity information the useris willing to share with specified entities. Other example embodimentsassist the user in managing identity information by providing the userwith a visual list of entities for which the user has shared specifiedidentity information. Still other example embodiments assist a user inmanaging identity information by automatically providing the user withthe ability to update identity information shared upon editing theidentity information.

In one embodiment, the present invention provides for receiving arequest to share a user's identity information with one or moreentities. The identity information includes available types of identityinformation such as the user's personal contact information, the user'sbusiness contact information, the user's legal information, or a digitalidentity for the user. Based on the request to share the user's identityinformation, this embodiment further provides for automaticallydisplaying a user interface that includes a list of identity itemscorresponding to the one or more available types of identityinformation. Thereafter, user input is received that selects ordeselects one or more identity items from the list of identity items forsharing a subset of the list of identity items with the one or moreentities. Based on the user input, the subset of the list of identityitems is sent to the one or more entities.

Other example embodiments provide for receiving a request fordetermining one or more entities for which one or more specifiedidentity items from identity information about a user has been shared.The identity information including available types of identityinformation such as the user's personal contact information, the user'sbusiness contact information, the user's legal information, or a digitalidentity for the user. A log file that includes shared information aboutthe entities is accessed for identifying which of the specified identityitems have been shared. Based on the shared information about the one ormore entities, a user interface is automatically generated that includesa list of the one or more entities for allowing the user to perform suchtasks as revocation, updating, and other tasks associated with theidentity information.

In yet another example embodiment, the present invention provides forreceiving a request to edit a user's identity information, whichincludes available types of identity information such as a user'spersonal contact information, the user's business contact information,the user's legal information, or a digital identity. Thereafter, userinput is received changing at least one identity item within theavailable types of identity information. Upon identifying that the atleast one identity item has changed, a log is accessed for determiningthe entities that the at least one identity item was shared with. Basedon the determined entities, the identity information on the one or moreentities' computing devices is automatically updated in accordance withthe changes from the user input.

Additional features and advantages of the invention will be set forth inthe description which follows, and in part will be obvious from thedescription, or may be learned by the practice of the invention. Thefeatures and advantages of the invention may be realized and obtained bymeans of the instruments and combinations particularly pointed out inthe appended claims. These and other features of the present inventionwill become more fully apparent from the following description andappended claims, or may be learned by the practice of the invention asset forth hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and otheradvantages and features of the invention can be obtained, a moreparticular description of the invention briefly described above will berendered by reference to specific embodiments thereof which areillustrated in the appended drawings. Understanding that these drawingsdepict only typical embodiments of the invention and are not thereforeto be considered to be limiting of its scope, the invention will bedescribed and explained with additional specificity and detail throughthe use of the accompanying drawings in which:

FIG. 1 illustrates a distributed system for assisting a user in managingthe user's identity or persona information in accordance with exampleembodiments;

FIG. 2A illustrates a user interface showing a type of identityinformation that may be managed in accordance with example embodiments;

FIG. 2B illustrates a user interface for editing user identityinformation in accordance with example embodiments;

FIG. 2C illustrates a user interface for assisting a user in managingidentity items on a request-by-request basis in accordance with exampleembodiments;

FIG. 3 illustrates a flow diagram of a method of assisting a user inmanaging the user's shared persona on a request-by-request basis inaccordance with example embodiments;

FIG. 4 illustrates a flow diagram of a method of providing the user witha visual list of entities for which the user has shared specifiedidentity information in accordance with example embodiments of thepresent invention;

FIG. 5 illustrates a flow diagram -of a method of automaticallyproviding the user the ability to update identity information sharedupon editing the identity information in accordance with exampleembodiments; and

FIG. 6 illustrates an example system that provides a suitable operatingenvironment for the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention extends to methods, systems, and computer programproducts for managing a user's identity or persona information. Theembodiments of the present invention may comprise a special purpose orgeneral-purpose computer including various computer hardware componentsor modules, as discussed in greater detail below.

Prior to discussing various example embodiments of the present inventionin great detail, it is useful to define terms that will be usedconsistently throughout the detailed description. First, the terms“identity information” or “persona” define various types of identityinformation that a user may exchange or share with other entities (e.g.,people, corporations, computing devices, etc.). The “types of identityinformation” may include, but are not limited to, “personal contactinformation,” “business contact: information,” “legal information,”and/or “digital identities.” Within each type of identity informationare various “identity items” or “fields” that describe specific elementsof the types of identity information.

For example, the personal contact information type—as the nameimplies—typically refers to personal information about a user. Thisidentity type may include, but is not limited to, the following identityitems: the user's name; the user's home address; various phone numbersfor the user (e.g., home, cell, etc.); a personal email address for theuser; an instant messaging (IM) address; and other similar information.Further, personal contact information may also include more personalidentity items or fields, such as the user's birthday, likes, dislikes,a picture of the user, and other similar information.

Business contact information type, on the other hand, is more orientatedaround the type of business or industry the user may be associated with.For example, such information may include identity items such as acompany name, company address, a job title or description, products soldor services rendered, business email, fax number for the business,various telephone numbers for the business, occupational specialties,affiliations, current projects, web addresses, and other similarbusiness oriented items.

Legal information, as referred to herein, may include items or fieldsdirected toward more sensitive subject matter that a user may beunwilling or uncomfortable to, publicly share. Such information mayinclude, but is not limited to, identity items such: as the user'ssocial security number, credit card numbers, state identification (e.g.,driver's license, identification (ID) card, etc.), and other suchinformation.

In contrast to the other types of identity information, digital identitytypes, are more machine oriented ways of identifying the user orspecific machines the user is associated with. Items within the digitalidentity type may include such things as tokens, public/private keypairs, certificates, and other machine readable identity fields.

With the above-identified definitions in mind, one example embodiment ofthe present invention provides for assisting a user in managing theuser's shared persona on a request-by-request basis. Upon requesting toshare one or more types of identity, information, the user isautomatically presented with an interface through which the user caninteract in selecting an amount of identity items to share. A subset ofthe total identity items selected may then be shared with specifiedentities. In another embodiment, the present invention assists a user inmanaging identity information that has been shared with others byproviding the user with a visual list of entities for which the user hasshared specified identity information. The list may be generated basedon the type of identity information, or based on a more granular levelsuch as an identity item or field shared. Other embodiments of thepresent invention use shared information about an entity toautomatically provide the user with the ability to update identityinformation that has subsequently been edited.

FIG. 1 illustrates a distributed system configured to implement variousexample embodiments described above. As shown, a distributed system 100is provided that allows a user 115 to share identity information withvarious entities 145. A user's computing device 115 may receive arequest to share identity information with the entities 145. Uponreceiving the request, the identity information stored in store 120 maybe accessed in order to determine the types 130 of identity informationthat are available to be shared. As shown, each type 130 of identityinformation (i.e., personal contact, business contact, legalinformation, and digital identities) may include various identity items135 as described above. As will be described in greater detail below,these types 130 of identity information and items 135 within each type130 are then used to present the user with a user interface forselecting the individual items 135 that are desired to be shared withthe specified entities 145.

Note that although typically only one type 130 of identity informationwill be sent to the different entities 145, the present invention is notlimited to a single type 130 or combination of items 135 within anyspecific type 130. For example, various items 135 from the legalinformation type 130 may be mixed within personal contact items 135 fromthe personal contact type 130 when, e.g., purchasing merchandise overthe Internet. In fact, any of the various types 130 and items 135 withineach type 130 may be mixed or matched depending upon the desires of theuser, and possibly how a user defines his/her templates, as described ingreater detail below with regards to FIGS. 2A-2C. Accordingly, the useof any specific type 130 of identity information and items 135associated therewith for sharing, as described herein, are forillustrative purposes only and are not meant to limit or otherwisenarrow the scope of the present invention unless explicitly claimed.

Regardless of the type 130 of identity information or particular items135 within each type 130, upon requesting to share identity informationexample embodiments provide for automatically generating a userinterface 117 that includes a list of identity items 135 for one or moretypes 130s of identity information. The user may then interact with theuser interface 117 for choosing the identity items 135 that the userwishes to send to the entities 145. In-particular, as described ingreater detail below, the user may select or deselect each item 135 toproduce a subset of identity items 125 that will be sent to the entities145. Note that although the term “subset” was used to describe only aportion of the available identity information, the subset may includeall the items 135 available. For example, the user may choose to selectall available identity items 135 for one or more of the types 130 ofidentity information. As such, the term “subset,” as defined herein,should be broadly construed to include all or a portion of all items 135available in one or more types 130 of identity information.

In any event, this automated user interface 117 that assists the user insharing items 135 of identity through an easily understandable selectionand de-selection process advantageously enhances the user experiencethrough ease in accessing and selecting items 135s of interest. Inparticular, because the user is able to select or deselect those items135 of interest, there is no need to create and remember the contents ofmultiple types 130 of identity information. In addition, only a singletemplate for each of the various types 130s of identity information isneeded, thereby reducing memory and other computing requirements forexchanging identity information. Accordingly, the user is able to managethe distribution of the identity information on a request-by-requestbasis in an enhanced user experience, while preserving valuablecomputing system resources.

In another embodiment, note that various items 135 within each type 130of identity information may be edited in a secure environment. Forexample, the user may have sensitive items 135 that the user feelsuncomfortable or is unwilling to publicly distribute or share. In orderto prevent unauthorized access to these items, the present inventionprovides a mechanism for securing, by password, smartcard, or anotherauthentication method, the identity information. For instance, all or aportion of the legal type 130 of identity information may be consideredsensitive. As such, the user may request that the information be securedby lock 140. In such instance, example embodiments will request at leasta password (and possibly a user name), or some stronger authenticationmethod, to protect 140 or otherwise encrypt the sensitive subjectmatter. Accordingly, in order to subsequently send or otherwise edit theinformation, the user will need to know the correct password or secretto decrypt the identity information.

Note that the password or secret may be a default value, such that theuser does not need to enter a new password or secret for each item 135or type 130 of identity information requested for securing 140. Furthernote that depending on where the identity information is stored andother computing capabilities, individual items 135 or complete types 130may be secured. In addition, the encrypted identity information may bestored as a file locally in a wells known directory (e.g., in credentialmanager) or on a database that supports storing encrypted data incolumns. Also note that other: items 135 or types 130 of identityinformation other than the legal information type 130 may also beprotected 140. Accordingly, any specific way of securing and storing thesensitive subject matter, or any specific item 135 or type 130 ofidentity information; secured 140, are used herein for illustrativepurposes only and are not meant to limit or otherwise narrow the scopeof the present invention unless explicitly claimed.

The above described security feature advantageously protects sensitiveidentity information from unauthorized access. Accordingly, if the userleaves his/her computer on, in an unlocked state, or if others haveaccess to folders where the sensitive subject matter is stored,unauthorized users will be unable to access the locked 140 identityinformation without the proper credentials.

In another example embodiment shown in FIG. 1, an identity log 105 isprovided that can be used to identify entities 145 for which the userhas shared the subset of identity items 125. For example, when thesubset of identity items 125 are, sent from the user's computing device115 to the entities 145, various shared information 110 about theentities 145 and the subset of identity items 125 shared may be storedin identity log 105. Such shared information 110 may include, e.g., theentity name, the items 135, and/or the type 130 of identity informationshared. Other information such as the transport used to share theidentity information (e.g., HTTP (HyperText Transport Protocol), FTP(File Transfer Protocol), SMTP (Simple Message, Transfer Protocol), TCP(Transmission Control Protocol), UDP (User Datagram Protocol), SMS(Short Message Service), SNA (Systems Network Architecture), GPRS(General Packet Radio Service), or other transports), the address of theentities 145, and other useful shared information 110 can also be storedin identity log 105 for subsequent use. Accordingly, upon request, theuser may receive a list of entities 145 and other shared information 110regarding the identity information for which the user has shared.

For instance, the user may request a listing of entities 145 for which aspecific identity item 135 or specific type 130 of identity informationhas been shared. Each shared information 110 file within the identitylog 105 may then be scanned to determine those entities 145 for whichthe specific identity information was shared. A list of the entities145, as well as other requested shared information 110, may then bepresented in user interface 117.

Note that any subset of shared information 110 stored in the identitylog 105 may be presented to the user for management purposes. In fact,the user may request the type 130 of identity information or items 135shared for a specific entity 145. Accordingly, the use of any specificshared information 110 displayed or used, as described herein, is forillustrative purposes only and is not meant to limit or otherwise narrowthe scope of the present invention unless explicitly claimed.

In another example embodiment, the shared information 110 withinidentity, log 105 can be used to automatically update identityinformation shared with entities 145 upon editing the identityinformation shared. For example, user 115 may request to edit one ormore items 135 from the types 130 of identity information. Upon editingand saving the identity information, the log 105 may be automaticallyscanned in determining those entities 145 that previously received theedited identity information. The appropriate shared information 110 forentities 145 that previously received the unedited identity informationmay then be used for updating the identity information on the entities'145 s′ computing devices. For instance, upon receiving an indicationthat identity information has changed, user's computing device may scanlog 105 for determining those entities for which the identityinformation was subsequently shared. The shared information 110 for eachidentity entity 145 may then be used to determine such information asthe transport and address of an entity 145 to use in automatically,updating the shared identity information for entities 145. Uponaccessing the appropriate shared information 110, the user's computingdevice 115 can automatically update the corresponding entities' 145 s′computing devices.

Note that as part of the automatic updating for edited identityinformation, the user may also be presented with a prompt or otherwiselist of entities for which the user has shared the edited identityinformation. The user may then be prompted to select (or give some otherappropriate indication of) those entities 145 in which the user wouldlike the edited identity information updated. Note also that theidentity log 105 and shared information 110 may be used for otherfunctions other than just updating identity information. For example, inmanaging shared identity information a user may use the identity log105, and the shared information 110 therein, to revoke specifiedidentity information shared with entities 145. Accordingly, the mannerin which the identity information is automatically updated and anyspecific use of the identity log 105—and shared information 110therein—are for illustrative purposes only and are not meant to limit orotherwise narrow the scope of the present invention unless explicitlyclaimed.

Further note that access to the identity information on the entity 145side may, or may not, be available in certain instances. For example,the user's computing device 115 may not be authorized to access theidentity information on the entity 145 side or cannot identify aspecific transport, address, and/or other shared information 110 used toupdate the entities 145. In such instance, other actions are alsoavailable to the present invention. For example, if the entities 145have stored the identity information for the user in a database that isnot accessible by the user's computing device 115, a message may be sentto the user, the entities 145, or both, indicating that the identityinformation has changed but is unavailable to be updated. As such, theidentity information that has been edited may be sent in the message tothe entities 145 allowing the entities 145 to update the information ina semi-manual process.

Of course, other notifications and processes for updating the editedinformation are also available to the present invention. Accordingly,the use of the term “automatic update” should be broadly construed toinclude all of the well known ways of updating the identity informationthat has changed. Accordingly, any specific process or mechanism forupdating the entities' 145 s′ computing devices are used forillustrative purposes only and are not meant to limit or otherwisenarrow the scope of the present invention unless explicitly claimed.

FIGS. 2A-2C illustrate various user interfaces, which can be used inpracticing various embodiments described above. It should be noted thatin each of the following user interfaces there are various designs,features, and objects for accomplishing one or more of the functionsassociated with the example embodiments of the present invention. Thereexists, however, numerous alternative user interface designs bearingdifferent aesthetic aspects for accomplishing these functions.Accordingly, the aesthetic layout of the user interface for FIGS.2A-2C—as well as the graphical objects described therein—are used forillustrative purposes only and are not meant to limit or otherwisenarrow the scope of the present invention.

FIG. 2A illustrates a user interface 200 of an example personal contacttype 205 displaying various identity items 210 as described above. Notethat in this example the personal contact 205 is set as a default, whichin one embodiment means that upon requesting to send identityinformation to various entities the personal contact type 205 will bethe default template used. As shown, however, the identity wizard 200may be used to set custom identity types and (as described below) chooseother default types 205 to be used.

For example, as shown in. FIG. 2B, a user can use interface 200 (i.e.,identity wizard) to edit and enter identity information for a particulartype (in this example, personal contact type). Various identity items210 may be added and deleted using button 215 or otherwise edited inaccordance with the user's desire. In addition, as shown, the user mayuse interface 200 to choose another default identity type 225. Aspreviously noted, although a dropdown box is used to select otherdefaults 225 other graphical objects and aesthetic designs well know inthe industry are also available to the present invention.

Further note that identity wizard 200 allows for securing items 210using, e.g., secure items button 220. In such an event, as describedabove, individual identity items 210 or a whole identity type may besecured using a password or other secret and well known encryptionmethods. Such an advantageous feature is particularly useful in securingsensitive information that a user is unwilling or uncomfortable to sharepublicly, for example, the legal information as described herein.Accordingly, upon selecting secured items 220 a popup screen or othertype of user interface can be presented to the user for selecting eitherindividual items 210 or whole types to secure. Upon selection, the usermay then be prompted for such things as user name, password, etc., forsecuring the desired identity information. Of course, as previouslymentioned, the password and/or user name may be a default that isautomatically selected without user input.

FIG. 2C illustrates an example of a user interface 200 that may bepresented to the user when sharing identity information with otherentities. Accordingly, upon requesting to share a type of identityinformation (in this example a business contact type) the user ispresented with user interface 200 for choosing those identity items 210that the user wishes to share. Note that in this example embodiment, thevarious identity items 210 may be selected or unselected as the userdesires using check boxes 230. Further note that although check boxes230 are used for selecting and deselecting identity items 210, othergraphical interactive objects are also available to the presentinvention. For example, radio buttons, highlighting, or other objects ormechanisms to select and deselect items 210 are also available.Accordingly, as previously stated, other graphical objects and aestheticdesigns well known in the industry are also available to the presentinvention.

Regardless of the aesthetic layout or objects used for selectingidentity items 210, other example embodiments provide a mechanism forallowing the user to set a default or a template of selected identityitems 210 that may be automatically selected (or unselected as the casemay be) upon the request to share the identity information. Accordingly,the user may create a template selecting the various items within eachtype of identity information that is most commonly desired to beexchanged. As shown in this example, the user's name, company, emailaddress, and picture have been selected as the default or template forsending identity information. Note, that the template may have beencreated in the edited user interface 200 from FIG. 2B, or any othersubsequent or well known ways to create such templates. Note that adigital identity 235 or other identity items and types may also be mixedwith any other particular identity items or types as previouslymentioned.

As will be appreciated, management of digital identity items inaccordance with example embodiments described herein has severaladvantageous features. For example, a user may have certificates foraccess to a wireless or other network in business relationship that theymay not want distributed among a wide variety of entities. Nevertheless,the user may wish to communicate with other entities over other mediumssuch as instant message, voice over IP, etc. As such, the entities theywish to communicate with need the appropriate digital identities inorder to communicate with the user. As such, the user can choose thosedigital identity items that are appropriate for the type ofcommunication desired. In fact, example embodiments support theselection and distribution of a plurality of different digital identityitems. In this exemplary embodiment, the entities may be provided with aplurality of different digital identities that may be used tocommunicate with the user over a variety of mediums. This advantageouslyprovides the entities with the continued attempt of using the differentdigital identities for determining the appropriate one to use in thespecific communication; yet allows the user tighter management over howthose digital identities are distributed to the various entities.

The present invention may also be described in terms of methodscomprising functional steps and/or non-functional acts. The following isa description of steps and/or acts that may be preformed in practicingthe present invention. Usually, functional steps describe the inventionin terms of results that are accomplished whereas non-functional actsdescribe more specific actions for achieving a particular result.Although the functional steps and/or non-functional acts may bedescribed or claimed in a particular order, the present invention is notnecessarily limited to any particular ordering or combination of stepsand/or acts. Further, the use of steps and/or acts in the recitation ofthe claims—and in the following description of the flowchart for FIGS. 2and 3—is used to indicate the desired specific use of such terms.

FIGS. 3-5 illustrate flow diagrams for various exemplary embodiments ofthe present invention. The following description of FIGS. 3-5 willoccasionally refer to corresponding elements from FIGS. 1 and 2A-2C.Although reference may be made to a specific element from these Figures,such elements are used for illustrative purposes only and are not meantto limit or otherwise narrow the scope of the present invention unlessexplicitly claimed.

FIG. 3 illustrates a method 300 of assisting a user in managing theuser's shared persona on a request-by-request basis by automaticallypresenting the user with and interface through which the user caninteract to select an amount of identity information that user iswilling to share with a specified entity. Method 300 includes an act ofreceiving 305 a request to share a user's identity information with oneor more entities. For example, the user's computer device 115 mayreceive a request to share the user's identity information with the oneor more entities 145. The identity information 120 includes availabletypes 130 of identity information such as a user's personal contactinformation, business contact information, legal information, or adigital identity for the user. In the event that the type 135 ofidentity information 120 is legal information, such legal informationmay be encrypted and the user would then need to enter a password,username, or both, to decrypt the legal information before being allowedto share the identity items for the legal information.

Based on the request to share the user's identity information, method300 also includes an act of automatically displaying a user interfacethat includes a list of identity items. For example, after receiving therequest, user's computer device 115 may display user interface 117 (ormore specifically user interface 200 in FIG. 2C) that includes a list ofidentity items 135 corresponding to the available types 130 of identityinformation selected. The list of identity items 135 for the user'spersonal contact information may include a name, home address, telephonenumber, email address, birthday, likes, dislikes, picture, etc. The listof identity items 135 for the user's business contact information mayinclude the user's name, a company name, a company address, email, faxnumber, telephone number, job title, products sold or services render,etc. The user's legal information, on the other hand, will typicallyinclude sensitive information that a user would be unwilling oruncomfortable to share publicly such as a credit card number, a socialsecurity number, a state identification number, etc.

After automatically displaying the list of identity items, method 300includes an act of receiving user input that selects or deselects one ormore identity items. For example, as shown in FIG. 2C, using userinterface 200 a user can select or deselect the identity items 210 fromthe list of identity items for sharing a subset 125 of the list ofidentity items with entities 145. The list of identity items 210 mayhave a default setting or template selecting an automatic subset 125 ofthe list of identity items. This default settings or template may becreated by the user at the time of creating the various types 130 ofidentity information.

Based on the user input, method 300 also includes an act of sending 325the subset of the list of identity items to the one or more entities.For example, after receiving the user's selection of the identity items135 to send, user's computing device. 115 may send the subset ofidentity items 125 to the various entities 145.

Other exemplary embodiments provide that prior to automaticallydisplaying the user interface 117, 200 that includes the list ofidentity items 135, 210 the above process may also present the user witha visual display of available types of 130 identity information the usercan select from. Thereafter, user input may be received by selecting thetypes 130 of information for sharing with entities 145. Accordingly, theautomatic display of user interface 117, 200 that includes a list ofidentity items 135, 210 may be further based on the selection of thetypes 130 of identity information.

Note that still other exemplary embodiments provide that if theavailable types 130 of identity information are the digital identity,such digital identity information may include a plurality of identityitems 135 corresponding to different digital identities for theuser/user's computing device 115. Accordingly, the user can select fromvarious different digital identities for sharing with the entities 145.

FIG. 4 illustrates a method 400 of assisting a user in managing identityinformation shared with other entities by providing the user with avisual list of entities for which the user has shared specific identityinformation. Method 400 includes an act of receiving 405 a request fordetermining one or more entities for which one or more specifiedidentity items from identity information about a user has been shared.For example, user's computing device 115 may receive a request fordetermining entities 145 for which specified identity items 135 fromidentity information about the user has been shared. As previouslymentioned, the identity information 120 may include the available typesof identity information 130 such as the user's personal contactinformation, the user's business contact information, the user's legalinformation, or a digital identity for the user. In addition, thespecified identity items 135 for each of the types 130 of identityinformation may include any of those previously described and other wellknown identity items.

Method 400 also includes an act of accessing 410 a log file thatincludes information about the one or more entities. For example, uponreceiving the request described above, user's computing device 115 mayaccess identity log 105, which includes shared information 110 about theentities 145 for which the specified identity items 135 have beenshared. Based on the shared information about the entities, method 400also includes an act of automatically generating 415 a user interfacethat includes a list of the one or more entities. For example, user'scomputing device 115 can access the shared information 110 about theentities 145 and automatically generate a user interface that includesthe list of shared information 110 about the entities and other desiredinformation. This list of entities 145 and shared information 110 may beused by the user to perform such tasks as revocation, updating, andother tasks associated with the identity information.

The user interface that includes the list of entities 145, as describedabove, may further be automatically generated based upon the user'srequest to update the identity items 135. Alternatively, or inconjunction, the user interface may be automatically generated based onthe user's request to revoke the identity items 135 from the entities145.

FIG. 5 illustrates a method 500 of assisting a user in managing identityinformation by automatically providing the user the ability to updateidentity information shared upon editing the identity information.Method 500 includes an act of receiving 505 a request to edit a user'sidentity information. For example, user's computing device 115 mayreceive a request to edit a user's identity information 120, whichincludes the types 130 of identity information such as the user'spersonal contact information, the user's contact business information,the user's legal information, or digital identity for the user. In theevent that the type 130 of identity information is legal information,such legal information may be encrypted and the user would then need toenter a password, username, or both, to decrypt the legal informationbefore being allowed to edit identity items for the legal information.

Method 500 also includes an act of receiving 510 user input changing atleast one identity item within the one or more available types ofidentity information. Thereafter, method 500 further includes a step forautomatically updating 530 the identity information on the entities'computing devices.

Step for 530 further includes the following acts: an act of identifying515 that the at least one identity item has changed; an act of accessing520 a log for determining, one or more entities that the at least oneidentified item was shared with; and an act of sending 525 a request toupdate the identity information on the entities' computing devices inaccordance with the changes from the user. For example, user's computingdevice 115 upon identifying that an identity item 135 has changed, mayaccess identity log 105 for determining entities 145 that the identityitem 135 was shared with. Thereafter, a request to update the identityinformation 120 on the entities' 145 s′ computing devices may be sent inaccordance with the changes from the user.

Prior to the automatic updating of the identity information, the usermay be presented with a prompt asking the user if the identityinformation should be updated on the entities' 145 s′ computing devices.In the event that the identity information cannot be automaticallyupdated on the entities' 145 s′ computing devises due to access or otherrestrictions, a message may be sent to the user informing them of therestriction. A message may also be sent to the entities 145 indicatingthat the identity information has changed. Further, the message sent tothe entities 145 can include the updated identity information forallowing the entities 145 to update the identity information in asemi-automated fashion.

Embodiments within the scope of the present invention also includecomputer-readable media for carrying or having computer-executableinstructions or data structures stored thereon. Such computer-readablemedia can be any available media that can be accessed by a generalpurpose or special purpose computer. By way of example, and notlimitation, such computer-readable media can comprise RAM, ROM, EPROM,CD-ROM or other optical disk storage, magnetic disk storage or othermagnetic storage devices, or any other medium which can be used to carryor store desired program code means in the form of computer-executableinstructions or data structures and which can be accessed by a generalpurpose or special purpose computer. When information is transferred orprovided over a network or another communications connection (eitherhardwired, wireless, or a combination of hardwired or wireless) to acomputer, the computer properly views the connection as acomputer-readable medium. Thus, any such connection is properly termed acomputer-readable medium. Combinations of the above should also beincluded within the scope of computer-readable media.Computer-executable instructions comprise, for example, instructions anddata which cause a general purpose computer, special purpose computer,or special purpose processing device to perform a certain function orgroup of functions.

FIG. 6 and the following discussion are intended to provide a brief,general description of a suitable computing environment in which theinvention may be implemented. Although not required, the invention willbe described in the general context of computer-executable instructions,such as program modules, being executed by computers in networkenvironments. Generally, program modules include routines, programs,objects, components, data structures, etc. that perform particular tasksor implement particular abstract data types. Computer-executableinstructions, associated data structures, and program modules representexamples of the program code means for executing steps of the methodsdisclosed herein. The particular sequence of such executableinstructions or associated data structures represents examples ofcorresponding acts for implementing the functions described in suchsteps.

Those skilled in the art will appreciate that the invention may bepracticed in network computing environments with many types of computersystem configurations, including personal computers, hand-held devices,multi-processor systems, microprocessor-based or programmable consumerelectronics, network PCs, minicomputers, mainframe computers, and thelike. The invention may also be practiced in distributed computingenvironments where tasks are performed by local and remote processingdevices that are linked (either by hardwired links, wireless links, orby a combination of hardwired or wireless links) through acommunications network. In a distributed computing environment, programmodules may be located in both local and remote memory storage devices.

With reference to FIG. 6, an example system for implementing theinvention includes a general purpose computing device in the form of aconventional computer 620, including a processing unit 621, a systemmemory 622, and a system bus 623 that couples various system componentsincluding the system memory 622 to the processing unit 621. The systembus 623 may be any of several types of bus structures including a memorybus or memory controller, a peripheral bus, and a local bus using any ofa variety of bus architectures. The system memory includes read onlymemory (ROM) 624 and random access memory (RAM) 625. A basicinput/output system (BIOS) 626, containing the basic routines that helptransfer information between elements within the computer 620, such asduring start-up, may be stored in ROM 624.

The computer 620 may also include a magnetic hard disk drive 627 forreading from and writing to a magnetic hard disk 639, a magnetic diskdrive 628 for reading from or writing to a removable magnetic disk 629,and an optical disc drive 630 for reading from or writing to removableoptical disc 631 such as a CD-ROM or other optical media. The magnetichard disk drive 627, magnetic disk drive 628, and optical disc drive 630are connected to the system bus 623 by a hard disk drive interface 632,a magnetic disk drive-interface 633, and an optical drive interface 634,respectively. The drives and their associated computer-readable mediaprovide nonvolatile storage of computer-executable instructions, datastructures, program modules and other data for the computer 620.Although the exemplary environment described herein employs a magnetichard disk 639, a removable magnetic disk 629 and a removable opticaldisc 631, other types of computer readable media for storing data can beused, including magnetic cassettes, flash memory cards, digitalversatile discs, Bernoulli cartridges, RAMs, ROMs, and the like.

Program code means comprising one or more program modules may be storedon the hard disk 639, magnetic disk 629, optical disc 631, ROM 624 orRAM 625, including an operating system 635, one or more applicationprograms 636, other program modules 637, and program data 638. A usermay enter commands and information into the computer 620 throughkeyboard 540, pointing device 642, or other input devices (not shown),such as a microphone, joy stick, game pad, satellite dish, scanner, orthe like. These and other input devices are often connected to theprocessing unit 621 through a serial port interface 646 coupled tosystem bus 623. Alternatively, the input devices may be connected byother interfaces, such as a parallel port, a game port or a universalserial bus (USB). A monitor 647 or another display device is alsoconnected to system bus 623 via an interface, such as video adapter 648.In addition to the monitor, personal computers typically include otherperipheral output devices (not shown), such as speakers and printers.

The computer 620 may operate in a networked environment using logicalconnections to one or more remote computers, such as remote computers649 a and 649 b. Remote computers 649 a and 649 b may each be anotherpersonal computer, a server, a router, a network PC, a peer device orother common network node, and typically include many or all of theelements described above relative to the computer 620, although onlymemory storage devices 650 a and 650 b and their associated applicationprograms 636 a and 636 b have been illustrated in FIG. 6. The logicalconnections depicted in FIG. 6 include a local area network (LAN) 651and a wide area network (WAN) 652 that are presented here by way ofexample and not limitation. Such networking environments are commonplacein office-wide or enterprise-wide computer networks, intranets and theInternet.

When used in a LAN networking environment, the computer 620 is connectedto the local network 651 through a network interface or adapter 653.When used in a WAN networking environment, the computer 620 may includea modem 654, a wireless link, or other means for establishingcommunications over the wide area network 652, such as the Internet. Themodem 654, which may be internal or external, is connected to the systembus 623 via the serial port interface 646. In a networked environment,program modules depicted relative to the computer 620, or portionsthereof, may be stored in the remote memory storage device. It will beappreciated that the network connections shown are exemplary and othermeans of establishing communications over wide area network 652 may beused.

The present invention may be embodied in other specific forms withoutdeparting from its spirit or essential characteristics. The describedembodiments are to be considered in all respects only as illustrativeand not restrictive. The scope of the invention is, therefore, indicatedby the appended claims rather than by the foregoing description. Allchanges which come within the meaning and range of equivalency of theclaims are to be embraced within their scope.

1. At a computing device in a distributed system, a method of assistinga user in managing the user's shared persona on a request-by-requestbasis by automatically presenting the user with an interface throughwhich the user can interact with to select an amount of identityinformation the user is willing to share with a specified entity, themethod comprising acts of: the computing device receiving a request fora user having identity information accessible to the computing device toshare the user's identity information with a third party; in response tothe request, automatically displaying a new user interface to the userat the computing device, the new user interface enabling the user toselectively control which of the user's identity information to sharewith the third party in response to the request, the new user interfaceincluding: a plurality of contact information labels; a list of aplurality of identity items which are sharable with the third party, theplurality of identity items corresponding to the user's identityinformation as identified by the plurality of contact informationlabels; an item-by-item selection mechanism comprising interactivegraphical objects, including at least one of check boxes, radio buttonsor highlighting elements, by which each of the plurality of identityitems for the user is independently selectable and deselectable, therebyallowing the user to, from the new user interface, select anycombination of the plurality of listed identity items for sharing withthe third party, including a plurality of items, and while continuing todisplay each of the plurality of contact information labels and each ofthe plurality of identity items for the user; and receiving input fromthe user selecting or deselecting one or more identity items from thelist of the plurality of identity items; based on the user input,sending the user's identity information corresponding to the selectedone or more identity items to the third party; accessing a log file thatincludes shared information about the one or more entities, includingthe third party, with whom the user has shared one or more specifiedidentity items, as well as information about the one or more entitiesthat includes at least an address associated with each of the one ormore entities; receiving a request from the user to update the one ormore specified identity items with edited information; automatically, inresponse to the user request to update and based on the sharedinformation in the log file, displaying a list of the one or moreentities that have received the one or more specified identity items;prompting the user to identify one or more identified entities of theone or more listed entities to have the edited information sent to; andsending the edited information to the one or more identified entitiesusing at least the address associated with each of the one or moreentities.
 2. The method of claim 1, wherein prior to automaticallydisplaying the user interface that includes the list of identity items,the method further comprises acts of: presenting the user with a visualdisplay of the available types of identity information the user canselect from; and receiving user input selecting one or more of the typesof identity information for sharing with the one or more entities, andwherein the automatic display of the user interface that includes a listof identity items is further based on the selection of the one or moretypes of identity information.
 3. The method of claim 2, wherein thelist of identity items for the user's personal contact informationinclude one or more of a name, home address, telephone number, emailaddress, instant messaging address, birthday, likes, dislikes, apicture, and wherein the list of identity items for the user's businesscontact information include one or more of the user's name, a companyname, company address, email alias, fax number, telephone number, jobtitle for the user, and wherein the list of identity items for theuser's legal information includes one or more of a credit card number, asocial security number, state identification number, or some othersensitive information that a user would be unwilling or uncomfortable toshare publicly.
 4. The method of claim 3, wherein the legal informationis encrypted and the user must use one or more of a password, user name,or smartcard to decrypt the legal information.
 5. The method of claim 4,wherein at least a portion of the encrypted legal information is storedon a server.
 6. The method of claim 3, wherein at least one of theavailable types of identity information is the digital identity for theuser, and wherein the digital identity information includes a pluralityof identity items corresponding to different digital identities for theuser, and wherein the user selects one or more of the different digitalidentities for sharing with the one or more entities.
 7. The method ofclaim 1, wherein the list of identity items have a default settingselecting an automatic subset of the list of identity items, and whereina template created from the user is used to identity the defaultsettings.
 8. At a computing device in a distributed system, a method ofassisting a user to update identity information by automaticallyproviding the user the ability to update identity information sharedupon editing the identity information, the method comprising acts of:receiving a request from a user to edit the user's own identityinformation, which identity information includes one or more availabletypes of identity information including one or more of the user'spersonal contact information, the user's contact business information,the user's legal information, or a digital identity for the user;receiving user input changing at least one identity item within the oneor more available types of information, the input being received throughan interface that allows the user to make an item-by-item selection ofidentity items to send to one or more entities, as well as to edit theat least one identity item, the identity information corresponding tothe at least one identity item having been sent to the one or moreentities in response to previous user input; identifying that the atleast one identity item has changed in response to the user input;automatically, in response to identifying that the at least one identityitem has changed, scanning a log and determining one or more entitiesthat the at least one identity item has been shared with prior to beingchanged, wherein the log specifically identifies the one or moreentities that the at least one identity item was shared with, as well asat least one address associated with each of the one or more entities;and based on the determined one or more entities from the log,automatically updating the identity information on the one or moreentities' computing devices in accordance with the changes from the userinput and by sending updated information corresponding to the changedidentity item to the one or more entities using the at least one addressassociated with each of the one or more entities.
 9. The method of claim8, wherein prior to automatically updating the identity information, theuser is presented with a prompt asking the user if the identityinformation should be updated the one or more entities' computingdevices.
 10. The method of claim 8, wherein the identity information onat least one of the one or more entities' computing devices cannot beautomatically updated due to access restrictions, and wherein a messageis sent to the user informing them of the access restriction.
 11. Themethod of claim 10, wherein a message is also sent to the one or moreentities indicating to them that the identity information has changed.12. The method of claim 11, wherein the message sent to the one or moreentities includes an update of the identity information.
 13. The methodof claim 8, wherein the legal information is encrypted and the user mustenter a password, user name, or both, to decrypt the legal informationbefore being allowed to edit one or more identity items for the legalinformation.
 14. The method of claim 13, wherein at least a portion ofthe encrypted legal information is stored on a server.
 15. The method ofclaim 12, wherein, the user's identity information includes each of theuser's personal contact information, the user's contact businessinformation, the users legal information, and a digital identity for theuser, and wherein receiving a request to edit the user's identityinformation comprises: determining that all of the legal information andat least some of the user's other identity information is secured by alock, thereby marking the information as sensitive and for edit only ina secure environment requiring user authentication, wherein userauthentication requires at least one of: (i) a username and passwordcombination; (ii) a password; or (iii) a smartcard, for authenticationto authorize decrypting and editing of the information; determining thatat least some of the user's personal contact information, businessinformation or digital identity are not secured by a lock, therebyallowing the information to be edited outside of the secure environment;the method further includes saving the identity information as updatedidentity information after receiving the user input changing the atleast one identity item; accessing the log is performed automatically,upon saving the updated identity information; and automatically updatingthe identity information on the one or more entities' computing devicesincludes, for each entity determined from the log to have receivedidentity information corresponding to the updated identity information:determining an address of the entity in the log; determining a transportfor use in updating the identity information on the one or moreentities' computing devices; and prompting the user for a list of otherentities for which the user has shared identity informationcorresponding to the updated identity information.
 16. The method ofclaim 13, wherein at least a portion of the encrypted legal informationis stored on the user's computing device.